#1 Bald Bouncer (DF VIP Member), joined Jun 2001, Thanked: 5,768

BBC News: Twitter flaw pumps out spam links

    A flaw in the website of micro-blogging service Twitter is being used to pump out pop-up messages and links to porn sites.

    Users only have to move their mouse over the link - not click it - to open it in the browser.

    Thousands of Twitter accounts have so far posted messages exploiting the flaw including Sarah Brown, the wife of former Prime Minister Gordon Brown.

    The malicious links look like a random URL and contain the code "onmouseover".

This command - written in a programming language called JavaScript - automatically directs users to another website, some of which contain pornography.

"There is no legitimate reason to tweet JavaScript," Graham Cluley, a researcher at security firm Sophos, told BBC News.

    He said that it looked like the initial vulnerability was exploited as a prank by users, but was now being spread by a worm, a self-replicating and malicious piece of code.

    "Simply being logged into Twitter and viewing these pages could mean that your own Twitter account could be hacked," said Mr Cluley.

    Until the flaw is fixed, users should use a third-party Twitter client - such as TweetDeck - rather than the website, he advised.

    "Don't use the website," he said.

    It is not the first time the service has suffered an attack.

    In April 2009, another worm spread links to a rival site, again showing unwanted messages on infected user accounts.

    Mr Cluley said that Twitter needs "much tighter control" over what users can contain in a tweet to prevent similar problems in the future.

    Twitter was not immediately available for comment.


#2 DJAd (DF PwNagE), joined Nov 2002, Thanked: 40

Re: Twitter flaw pumps out spam links

    "Among the reported victims was the wife of the former Prime Minister Gordon Brown, who unwittingly sent out a link containing malicious code that sent followers to a Japanese hard-core porn site."


#3 -AMO- (DF Jedi), joined Jan 2003, Thanked: 1

Re: Twitter flaw pumps out spam links

    Twitter posted on their blog about the exploit too..

    All about the "onMouseOver" incident

    The short story: This morning at 2:54 am PDT Twitter was notified of a security exploit that surfaced about a half hour before that, and we immediately went to work on fixing it. By 7:00 am PDT, the primary issue was solved. And, by 9:15 am PDT, a more minor but related issue tied to hovercards was also fixed.

The longer story: The security exploit that caused problems this morning Pacific time was caused by cross-site scripting (XSS). Cross-site scripting is the practice of placing code from an untrusted website into another one. In this case, users submitted JavaScript code as plain text into a Tweet that could be executed in the browser of another user.

    We discovered and patched this issue last month. However, a recent site update (unrelated to new Twitter) unknowingly resurfaced it.

Early this morning, a user noticed the security hole and took advantage of it on Twitter.com. First, someone created an account that exploited the issue by turning tweets different colors and causing a pop-up box with text to appear when someone hovered over the link in the Tweet. This is why folks are referring to this as an "onMouseOver" flaw -- the exploit occurred when someone moused over a link.

    Other users took this one step further and added code that caused people to retweet the original Tweet without their knowledge.

This exploit affected Twitter.com and did not impact our mobile web site or our mobile applications. The vast majority of exploits related to this incident fell under the prank or promotional categories. Users may still see strange retweets in their timelines caused by the exploit. However, we are not aware of any issues related to it that would cause harm to computers or their accounts. And, there is no need to change passwords because user account information was not compromised through this exploit.

    We’re not only focused on quickly resolving exploits when they surface but also on identifying possible vulnerabilities beforehand. This issue is now resolved. We apologize to those who may have encountered it.

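The mechanism behind both the BBC piece in #1 (a "random URL" that carries an onmouseover handler) and Twitter's write-up in #3 (tweet text submitted as plain text and executed in another user's browser) is attribute injection in the code that turns URLs in a tweet into links. The following is an added example written for this thread, not Twitter's code and not the payload that circulated: a toy auto-linker with that bug beside a hardened version, run over a constructed tweet (the host `example.invalid` and the handler body are made up). The `tagAttributeNames` helper is a crude stand-in for browser tokenisation, just enough to show which attributes the two outputs would hand to the browser.

```javascript
// Added example, not Twitter's code: a toy tweet auto-linker with the
// attribute-injection bug that the 2010 "onMouseOver" incident exploited,
// beside a hardened version. Host names, tweets and the payload are constructed.

// Naive URL matcher: takes everything up to the next whitespace, so a double
// quote inside the "URL" survives into the generated HTML.
const URL_RE = /https?:\/\/\S+/g;

// Vulnerable: the matched URL is interpolated straight into an href attribute.
// A quote in the URL closes the attribute, and whatever follows becomes extra
// attributes on the <a> element, e.g. onmouseover="...".
function autolinkVulnerable(tweet) {
  return tweet.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Escape the characters that change meaning in HTML text and attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render one link candidate: parse it with the WHATWG URL parser (which
// percent-encodes quotes and angle brackets in the path), allow only
// http/https, and escape on output. Anything unparseable becomes plain text.
function renderLink(candidate) {
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch (e) {
    return escapeHtml(candidate);
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return escapeHtml(candidate);
  }
  return `<a href="${escapeHtml(parsed.href)}" rel="nofollow noopener">${escapeHtml(candidate)}</a>`;
}

// Hardened: escape the text between links and render each link separately,
// so no user-controlled byte reaches an attribute unencoded.
function autolinkHardened(tweet) {
  let out = "";
  let last = 0;
  for (const m of tweet.matchAll(URL_RE)) {
    out += escapeHtml(tweet.slice(last, m.index)) + renderLink(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(tweet.slice(last));
}

// Rough approximation of how a browser tokenises the first <a ...> tag:
// returns the attribute names it would see. Enough to show the difference.
function tagAttributeNames(html) {
  const tag = /<a\s([^>]*)>/.exec(html);
  if (!tag) return [];
  return Array.from(
    tag[1].matchAll(/([a-zA-Z-]+)\s*=\s*"[^"]*"/g),
    (m) => m[1].toLowerCase()
  );
}

// Constructed payload in the shape of the incident: a "URL" that closes the
// href attribute and smuggles in an onmouseover handler (the real worm put a
// script loader here, which is how the retweet-without-consent step worked).
const PAYLOAD_TWEET = 'check this http://example.invalid/@"onmouseover="alert(1)"/ lol';
const BENIGN_TWEET = "see https://example.invalid/a?b=1&c=2";

console.log("vulnerable:", tagAttributeNames(autolinkVulnerable(PAYLOAD_TWEET)));
console.log("hardened:  ", tagAttributeNames(autolinkHardened(PAYLOAD_TWEET)));
console.log(autolinkHardened(PAYLOAD_TWEET));
```

Two layers do the work in the hardened path: the URL parser re-serialises the candidate so the quote that broke the attribute arrives as `%22`, and the output escaping covers whatever the parser leaves alone (an `&` in a query string, a `'`). Either on its own is a partial fix; the incident write-up's own point that a previously patched issue "resurfaced" after a site update is the usual argument for keeping the escaping at the output step rather than relying on an input filter upstream.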
